Thursday, July 7, 2016

How to disable MAC learning in a Linux bridge

Question: I am troubleshooting Ethernet bridging which I set up with a Linux bridge, and I would like to disable MAC learning on the Linux bridge. How can I do that?
An Ethernet bridge is a network component that interconnects multiple Ethernet segments by forwarding frames from one segment to another. Linux has a software implementation of the Ethernet bridge (called the "Linux bridge") built into the mainline kernel. A Linux bridge is often used to set up a transparent proxy/firewall, or to work as a virtual switch that interconnects multiple virtual machines and containers created on a host.
Like a hardware Ethernet bridge, a Linux bridge comes with MAC address learning built in: it records the source MAC address of every frame it receives, together with the port the frame arrived on, so that it knows to which port a frame destined for that address should be forwarded.
Suppose you would like to disable MAC address learning in a Linux bridge, for whatever reason. For example, you want to "inject" artificial traffic into the bridge for experimental purposes. Or your network is under attack, and a large number of frames with different source MAC addresses are filling up the MAC learning table. Or you want to manage the MAC forwarding table on your own, without relying on learned entries.
This post describes how to disable MAC address learning in a Linux bridge.
Note: Once MAC learning is turned off, a Linux bridge floods every incoming frame to all of its other ports, i.e., it behaves like a hub, and every host attached to the bridge sees every other host's traffic. That is precisely the outcome a MAC flooding attack is after, so in the "under attack" case treat this as a temporary measure for observation rather than a mitigation, and pin the addresses you rely on with static forwarding entries. Understand this implication before proceeding.

MAC Address Learning vs. Ageing Time

When a Linux bridge receives a packet with a new source MAC address from a particular bridge port, it stores the MAC address along with the port number in its MAC learning table. A timer is associated with each entry in the table, so that the entry expires after a certain period (so-called "ageing time"), unless it is refreshed before then. By default the ageing time in a Linux bridge is set to 300 seconds.
If you want to disable MAC address learning in a Linux bridge, you need to set the "ageing time" to 0. Let's find out how you can actually do it.

Disable MAC Address Learning in a Linux Bridge from the Command Line

Without disabling MAC learning, a Linux bridge learns and stores one or more "non-local" MAC addresses in the MAC learning table (the local entries are the addresses of the bridge itself and its ports). The brctl commands below take the bridge name as an argument; br0 is used as an example. To check the current MAC learning table:
$ sudo brctl showmacs br0

To view the current ageing time of a bridge, run:
$ brctl showstp br0

To turn off the bridge's MAC address learning, set its ageing time to 0 as follows.
$ sudo brctl setageing br0 0

Once MAC learning is deactivated, the entries already learned are aged out and no new ones are added, so the bridge's MAC learning table no longer contains any non-local MAC address (verify with brctl showmacs br0).
Note that any change made with the brctl command (including MAC learning deactivation) does not survive reboots. If you want to turn off MAC learning permanently, read on.
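The following script is an added example, not code from the original post. It wraps the command-line procedure above in a small check-and-apply script: it parses the output of brctl showstp (ageing time) and brctl showmacs (learned entries) to confirm whether learning is off, does the same against the iproute2 bridge fdb show format for systems without bridge-utils, and applies the ageing-time change with brctl or the iproute2 equivalent. The bridge name br0 and the sample command outputs embedded in the script are assumptions constructed to mirror the real formats, so the checks run offline.

```shell
#!/bin/sh
# Added example for this post (not code from the original article).
# Assumptions: the bridge is named br0 (override with BRIDGE=...), brctl
# (bridge-utils) and/or iproute2 are installed, and the sample command outputs
# below are constructed to mirror the real brctl/bridge output formats.

BRIDGE="${BRIDGE:-br0}"

# Print the ageing time from `brctl showstp <bridge>` output read on stdin.
# The relevant line is "ageing time   300.00"; 0.00 means learning is off.
ageing_time_from_showstp() {
    awk '$1 == "ageing" && $2 == "time" { print $3; exit }'
}

# Count learned (non-local) entries in `brctl showmacs <bridge>` output read
# on stdin. Column 3 is the "is local?" flag; "no" marks a learned address.
count_nonlocal_macs() {
    awk 'NR > 1 && $3 == "no" { n++ } END { print n + 0 }'
}

# Same check for `bridge fdb show br <bridge>` (iproute2): local and static
# entries are flagged "permanent"/"static"; learned ones carry no flag.
count_learned_fdb() {
    awk '/ master / && !/permanent/ && !/static/ { n++ } END { print n + 0 }'
}

# Turn learning off by setting the ageing time to 0, preferring brctl as the
# post does and falling back to the iproute2 equivalent. Needs root and a
# live bridge, so it only runs when the script is invoked with --apply.
disable_mac_learning() {
    br="$1"
    if command -v brctl >/dev/null 2>&1; then
        brctl setageing "$br" 0
    else
        ip link set dev "$br" type bridge ageing_time 0
    fi
}

# Constructed sample outputs: what the commands print on a two-port bridge
# before learning is disabled.
SAMPLE_SHOWSTP=$(cat <<'EOF'
br0
 bridge id              8000.525400123456
 designated root        8000.525400123456
 root port                 0                    path cost                  0
 max age                  20.00                 bridge max age            20.00
 hello time                2.00                 bridge hello time          2.00
 forward delay            15.00                 bridge forward delay      15.00
 ageing time             300.00
 hello timer               0.00                 tcn timer                  0.00
 topology change timer     0.00                 gc timer                   0.00
 flags
EOF
)

SAMPLE_SHOWMACS=$(cat <<'EOF'
port no mac addr                is local?       ageing timer
  1     00:11:22:33:44:55       no                 0.12
  1     52:54:00:12:34:56       yes                0.00
  2     00:11:22:33:44:66       no                 5.40
  2     52:54:00:12:34:57       yes                0.00
EOF
)

SAMPLE_FDB=$(cat <<'EOF'
01:00:5e:00:00:01 dev eth0 self permanent
52:54:00:12:34:56 dev eth0 master br0 permanent
00:11:22:33:44:55 dev eth0 master br0
52:54:00:12:34:57 dev eth1 master br0 permanent
EOF
)

if [ "${1:-}" = "--apply" ]; then
    disable_mac_learning "$BRIDGE"
    echo "learned entries after change: $(bridge fdb show br "$BRIDGE" | count_learned_fdb)"
else
    echo "ageing time (sample): $(printf '%s\n' "$SAMPLE_SHOWSTP" | ageing_time_from_showstp)"
    echo "learned entries, brctl (sample): $(printf '%s\n' "$SAMPLE_SHOWMACS" | count_nonlocal_macs)"
    echo "learned entries, fdb (sample): $(printf '%s\n' "$SAMPLE_FDB" | count_learned_fdb)"
fi
```

Run it without arguments to exercise the parsers on the constructed samples, or as root with --apply to change a real bridge. If you want the bridge to keep forwarding to addresses you manage yourself rather than flooding everything, the per-port alternative is to leave the ageing time alone, turn learning off on each port with bridge link set dev <port> learning off, and add the addresses you need as static entries with bridge fdb add; only unknown destinations are flooded then.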

Disable MAC Address Learning in a Linux Bridge Permanently

If you define a Linux bridge in /etc/network/interfaces (e.g., on a Debian-based system with bridge-utils installed), add "bridge_ageing 0" under the bridge configuration. For example:
auto br0
iface br0 inet static
    bridge_ports eth0 eth1
    bridge_ageing 0
If you configure a Linux bridge with NetworkManager, set "Aging time" to 0 in the bridge editing dialog.
